Business leaders care about how security risks can impact their revenue, customers, reputation, or operations. They care about outages, customer churn, regulatory fines, and competitive disadvantage, and not about which ransomware family is exploiting which kernel vulnerability. The disconnect here isn’t because those outside of security don’t care about details, but because many don’t see these details as relevant.
This is key right here. Translating security risks and benefits into business impact, whether positive or negative, is what speaks to the CEO, CFO and the board.
I usually say, "Cybersecurity does not happen in the implementation; it happens in the conversation." We need to understand that conversation is the unit of communication. If we create better conversations, we may have better cybersecurity. At the end is an environment of trust that we create, not cybersecurity.
I believe that's why translating cyber risk to $$ risk using models like FAIR is important. Boards and the public need to be able to understand this risk in familiar terms.
Vendors mastered the art of selling fear wrapped in buzzwords. Boards nod, budgets flow, dashboards pile up. Yet breaches keep happening.
The problem isn’t a lack of technology - it’s the theater. Until security stops selling acronyms and starts speaking human, the gap stays wide open.